On Tue, 29 Mar 2005, Serassio Guido wrote:
>> ISA server have this kind of behavior, and if could re-create with squit it
>> would be pretty nice.
>
> I know the ISA Server behaviour.
>
> What you asking for, is trigger again an authentication request to the
> browser when the user authentication is correct, but an external acl, or any
> other acl, deny the access to Squid.
Hmm.. this is how it is supposed to work.
Ah, no it doesn't for external acls, only proxy_auth.
This does not work:
acl group external ...
http_access deny !group
but this does work:
acl group external ...
acl all_users proxy_auth REQUIRED
http_access deny !group all_users
and this forces relogin to not take place:
acl some_auth_acl ....
acl all src 0.0.0.0/0
http_access deny !some_auth_acl all
> You can open a feature request on Bugzilla.
Yes, please do. Fixing this to also work on external acls like expected is
pretty easy, but a bug report is needed to connect the patch to.
We should probably also add a directive to globally turn on/off this
automatic request for a new login on access denials while touching this
part of the code. As you say not all admins want automatic request for
login on access denial. Ad even if this can be controlled by http_access
rule logics as shown above, having a global directive may be easier for
some.
Regards
Henrik
Received on Tue Mar 29 2005 - 15:56:49 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:03 MST